(Revised: 06/2018)

Introduction: The entire concept of business continuity is based on the identification of all business functions and critical infrastructure within a state entity in order to assign a level of importance to each business function and infrastructure (including critical infrastructure). A business impact assessment (BIA) is the primary tool for gathering this information and assigning criticality, recovery point objectives, and recovery time objectives; along with the identification of critical information systems, critical infrastructure systems and information supporting critical business functions and critical infrastructure. Therefore, the BIA is part of the basic foundation of contingency planning, business continuity and technology recovery development.

Policy: Each state entity shall ensure individuals with knowledge about business functions, and the critical infrastructure and infrastructure systems of the organization lead and participate in the business continuity planning process to:

  1. Identify and document all business functions and critical infrastructure;
  2. Conduct a business impact assessment to identify:
    1. critical business functions, critical infrastructure information and controls, and the supporting information systems; prioritizing them based on necessity;
    2. threats and vulnerabilities; and
    3. preventive controls and countermeasures to reduce the state entity’s risk level.
  3. Develop recovery strategies to ensure systems, functions and infrastructure can be brought online quickly;
  4. Develop the Business Continuity Plan to include procedures for how the state entity will stay functional and how critical infrastructures will continue providing necessary services in a disastrous state;
  5. Conduct regular training to prepare individuals on their expected tasks;
  6. Conduct regular tests and exercises to identify any deficiencies and further refine the plan; and
  7. Develop steps to ensure the Business Continuity Plan is maintained and updated regularly.

Note: The Business Continuity Plan must also address the Office of Emergency Services’ continuity planning requirements. These are available at:

Implementation Controls: NIST SP 800-34; NIST SP 800-53: Contingency Planning (CP)


No Revisions for this item.

Search Entire Manual

Print Entire SAM